SecurityTracker.com
Category:   Application (Multimedia)  >   Apple GarageBand
Vendors:   Apple
Apple GarageBand Flaw Lets Remote Users Modify Safari Cookie Preferences
SecurityTracker Alert ID:  1022649
SecurityTracker URL:  http://securitytracker.com/id/1022649
CVE Reference:   CVE-2009-2198
Date:  Aug 4 2009
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Apple GarageBand. A remote user can set cookies on the target user's Safari browser.

When GarageBand is opened, the Safari accept cookies preferences are changed to "any". This may allow third parties to track the target user's web visits.

The default preference is "only from sites I visit".

Impact:   A remote user can set cookies on the target user's Safari browser.
Solution:   The vendor has issued a fix (5.1), available via the Apple Software Update application, or Apple's GarageBand download site at:

http://support.apple.com/downloads/#garageband

GarageBand for Mac OS X v10.5.7
The download file is named: GarageBand51.dmg
Its SHA-1 digest is: 7c771583c826c8c70e5c5f01d925e28636d0364d

The vendor recommends that users who have run previous versions of GarageBand confirm that their Safari preferences are set as intended.

The vendor's advisory is available at:

http://support.apple.com/kb/HT3732

Vendor URL:  support.apple.com/kb/HT3732
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.5.7

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2009-08-03-1 GarageBand 5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-08-03-1 GarageBand 5.1

GarageBand 5.1 is now available and addresses the following:

GarageBand
CVE-ID:  CVE-2009-2198
Available for:  Mac OS X v10.5.7
Impact:  A user's web activity may be tracked by third parties and
advertisers
Description:  When GarageBand is opened, Safari's preferences are
changed to always accept cookies. The default preference is to accept
cookies only for the sites being visited. The altered setting may
allow third parties and advertisers to track a user's web activity.
This update addresses the issue by not changing the preference
setting. Users who have run previous versions of GarageBand should
confirm that their Safari preferences are set as desired.


GarageBand 5.1 is available via the Apple Software Update
application, or Apple's GarageBand download site at:
http://support.apple.com/downloads/#garageband

GarageBand for Mac OS X v10.5.7
The download file is named: GarageBand51.dmg
Its SHA-1 digest is: 7c771583c826c8c70e5c5f01d925e28636d0364d

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

Security-announce mailing list      (Security-announce@lists.apple.com)
 
 



Copyright 2020, SecurityGlobal.net LLC